Version in base suite: 1.35.13-1~deb11u1 Base version: mediawiki_1.35.13-1~deb11u1 Target version: mediawiki_1.35.13-1+deb11u2 Base file: /srv/ftp-master.debian.org/ftp/pool/main/m/mediawiki/mediawiki_1.35.13-1~deb11u1.dsc Target file: /srv/ftp-master.debian.org/policy/pool/main/m/mediawiki/mediawiki_1.35.13-1+deb11u2.dsc changelog | 7 patches/0002-SECURITY-Limit-subpages-displayed-on-Special-MovePag.patch | 101 ++++++++++ patches/series | 1 3 files changed, 109 insertions(+)
diff -Nru mediawiki-1.35.13/debian/changelog mediawiki-1.35.13/debian/changelog
--- mediawiki-1.35.13/debian/changelog 2023-10-09 18:40:48.000000000 +0000
+++ mediawiki-1.35.13/debian/changelog 2024-03-29 12:48:41.000000000 +0000
@@ -1,3 +1,10 @@
+mediawiki (1:1.35.13-1+deb11u2) bullseye-security; urgency=medium
+
+ * Cherry-pick upstream patch fixing T357760 (DoS in Special:MovePage,
+ CVE pending).
+
+ -- Taavi Väänänen Fri, 29 Mar 2024 14:48:41 +0200
+
 mediawiki (1:1.35.13-1~deb11u1) bullseye-security; urgency=medium
 
 * New upstream version 1.35.13, fixing CVE-2023-3550,
diff -Nru mediawiki-1.35.13/debian/patches/0002-SECURITY-Limit-subpages-displayed-on-Special-MovePag.patch mediawiki-1.35.13/debian/patches/0002-SECURITY-Limit-subpages-displayed-on-Special-MovePag.patch
--- mediawiki-1.35.13/debian/patches/0002-SECURITY-Limit-subpages-displayed-on-Special-MovePag.patch 1970-01-01 00:00:00.000000000 +0000
+++ mediawiki-1.35.13/debian/patches/0002-SECURITY-Limit-subpages-displayed-on-Special-MovePag.patch 2024-03-29 12:48:41.000000000 +0000
@@ -0,0 +1,101 @@
+From 9fae3714fd89190022b0b9888ad4be89b9bf024d Mon Sep 17 00:00:00 2001
+From: Dreamy Jazz
+Date: Sun, 18 Feb 2024 23:13:16 +0000
+Subject: [PATCH] SECURITY: Limit subpages displayed on Special:MovePage form
+
+CVE-2024-PENDING
+
+Why:
+* Special:MovePage shows the list of subpages for the page
+ provided before the user submits the form.
+* There is currently no limit on the number of subpages shown
+ and as such loading the move page for a page with tens of
+ thousands of subpages causes request timeouts when trying
+ to generate the link HTML for each subpage.
+* Special:MovePage does not need to display all the subpages
+ and can limit the list to wgMaximumMovedPages subpages as
+ the user who submits the form would only move that many
+ subpages if they specified to move these subpages.
+* A user wanting to find the full list can use Special:Prefix
+ Index which provides paging.
+
+What:
+* Provide a $limit to Title::getSubpages for both calls in
+ SpecialMovePage::showSubpages. $limit is defined as
+ $wgMaximumMovedPages plus 1, where the extra subpage is
+ used to determine if the results were truncated similar to
+ IndexPager.
+* Because i18n modifications in security patches are to be
+ strongly avoided, hard code the message shown when the
+ list of subpages is truncated. This should be replaced with
+ an actual message key when this is publicly uploaded to
+ Gerrit.
+
+Bug: T357760
+Change-Id: I78fa0b04d2bc82c8deffa2ed5433eb2563c17962
+---
+ includes/specials/SpecialMovepage.php | 28 +++++++++++++++++++++++++--
+ 1 file changed, 26 insertions(+), 2 deletions(-)
+
+diff --git a/includes/specials/SpecialMovepage.php b/includes/specials/SpecialMovepage.php
+index 6d52ce57b9b..5584564101d 100644
+--- a/includes/specials/SpecialMovepage.php
++++ b/includes/specials/SpecialMovepage.php
+@@ -827,13 +827,14 @@ class MovePageForm extends UnlistedSpecialPage {
+ * @param Title $title Page being moved.
+ */
+ private function showSubpages( $title ) {
++ $maximumMovedPages = $this->getConfig()->get( 'MaximumMovedPages' );
+ $nsHasSubpages = MediaWikiServices::getInstance()->getNamespaceInfo()->
+ hasSubpages( $title->getNamespace() );
+ $subpages = $title->getSubpages();
+ $count = $subpages instanceof TitleArray ? $subpages->count() : 0;
+
+ $titleIsTalk = $title->isTalkPage();
+- $subpagesTalk = $title->getTalkPage()->getSubpages();
++ $subpagesTalk = $title->getTalkPage()->getSubpages( $maximumMovedPages + 1 );
+ $countTalk = $subpagesTalk instanceof TitleArray ? $subpagesTalk->count() : 0;
+ $totalCount = $count + $countTalk;
+
+@@ -864,7 +865,19 @@ class MovePageForm extends UnlistedSpecialPage {
+ return;
+ }
+
+- $out->addWikiMsg( $wikiMsg, $this->getLanguage()->formatNum( $pagecount ) );
++ $maximumMovedPages = $this->getConfig()->get( 'MaximumMovedPages' );
++
++ if ( $pagecount > $maximumMovedPages ) {
++ $subpages = $this->truncateSubpagesList( $subpages );
++ // TODO: Replace with a message key once this is uploaded to Gerrit. This is hardcoded to avoid
++ // having the i18n rebuilt for all deployments due to this security patch.
++ $out->addWikiTextAsInterface(
++ "The first $maximumMovedPages {{PLURAL:$maximumMovedPages|subpage|subpages}} " .
++ ( $noSubpageMsg ? 'for this page' : 'for the corresponding talk page' ) . ' are shown below.'
++ );
++ } else {
++ $out->addWikiMsg( $wikiMsg, $this->getLanguage()->formatNum( $pagecount ) );
++ }
+ $out->addHTML( "\n" );
+ }
+
++ private function truncateSubpagesList( iterable $subpages ): array {
++ $returnArray = [];
++ foreach ( $subpages as $subpage ) {
++ $returnArray[] = $subpage;
++ if ( count( $returnArray ) >= $this->getConfig()->get( 'MaximumMovedPages' ) ) {
++ break;
++ }
++ }
++ return $returnArray;
++ }
++
+ /**
+ * Return an array of subpages beginning with $search that this special page will accept.
+ *
+--
+2.43.0
+
diff -Nru mediawiki-1.35.13/debian/patches/series mediawiki-1.35.13/debian/patches/series
--- mediawiki-1.35.13/debian/patches/series 2023-10-09 18:40:48.000000000 +0000
+++ mediawiki-1.35.13/debian/patches/series 2024-03-29 12:48:41.000000000 +0000
@@ -1 +1,2 @@
 0001-Have-Scribunto-use-packaged-lua5.1-rather-than-bundl.patch
+0002-SECURITY-Limit-subpages-displayed-on-Special-MovePag.patch
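Review bot: In the embedded patch to includes/specials/SpecialMovepage.php, the showSubpages hunk passes the limit only to the talk-page lookup; the subject-page call `$subpages = $title->getSubpages();` stays as an unchanged context line, although the commit message says both calls receive a $limit. truncateSubpagesList() still caps the list at MaximumMovedPages entries, but the subject-page query and `$subpages->count()` remain unbounded for a page with tens of thousands of subpages, so part of the resource-exhaustion exposure tracked as T357760 appears to be left open. I would change that line to `$subpages = $title->getSubpages( $maximumMovedPages + 1 );` so it matches the talk-page call. The bodies of showSubpages and of the function touched by the second hunk continue outside the lines shown, so the rendering loop itself cannot be checked from here.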